SailPoint Integration Guide - usermanual.wiki · Installation and configuration in ServiceNow ......

SailPoint Version 7.2 Integration Guide


  • SailPoint Version 7.2

    Integration Guide

  • Copyright 2016 SailPoint Technologies, Inc., All Rights Reserved.

    SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

    Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced, publicly displayed, used to create derivative works, or translated to another language, without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change without notice.

    Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

    Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Government's Specially Designated Nationals (SDN) List; a party prohibited from participation in export or re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and related documentation.

    Copyright and Trademark Notices. Copyright 2016 SailPoint Technologies, Inc. All Rights Reserved. All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written materials or in this Internet web site are protected under United States and international copyright and trademark laws and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Technologies, Inc.

    SailPoint Technologies & Design, IdentityIQ, IdentityNow, AccessIQ, Identity Cube, Managing the Business of Identity and the SailPoint logo are registered trademarks of SailPoint Technologies, Inc. SecurityIQ, SailPoint, Identity is Everything and The Power of Identity are trademarks of SailPoint Technologies, Inc. None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons indicated.

  • Table of Contents

    Chapter 1: Overview
      What is SailPoint IdentityIQ?
      SailPoint Integration Guide Overview

    Healthcare Integration Module

    Chapter 2: SailPoint Epic Integration Module
      Overview
        Important consideration
        Supported features
        Supported Managed System
        Pre-requisites
        Administrator permissions
      Configuration parameters
      Schema Attributes
        Account attributes
        Group attributes
      Provisioning Policy attributes
      Troubleshooting

    Enterprise Resource Planning Integration Modules

    Chapter 3: SailPoint SAP Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Pre-requisites
        Administrator permissions
      Configuration parameters
      Schema attributes
        Account attributes
        Group attributes
        Schema extension and custom attributes
        Upgrade considerations
      Provisioning Policy attributes
        Create account attributes
      Additional information
        Entitlement validity period
        CUA support
        Entitlement Data
        Password Change
        Logon and Communication Language attributes
        Delta Aggregation
        Partitioning Aggregation
      Troubleshooting

    Chapter 4: SailPoint Oracle E-Business Suite Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Pre-requisites
        Administrator permissions
      Configuration parameters
        Additional configuration parameter
      Schema attributes
        Account attributes
        Group attributes
      Provisioning Policy attributes
        Create account attributes
        Create group attributes
      Additional information
        Upgrade considerations
      Troubleshooting

    Chapter 5: SailPoint SAP Portal-User Management Web Service Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Pre-requisite
        Administrator permission
      Configuration parameters
      Schema attributes
        Account attributes
        Group attributes
      Provisioning Policy attributes
        Create account attributes
        Create Group attributes
      Additional information
        Undeploy .sda file

    Chapter 6: SailPoint PeopleSoft Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Pre-requisites
        Administrator permission
      Configuration parameters
      Schema attributes
        Account attributes
        Group attributes
      Additional information
        Performance improvement
        Partitioning Aggregation
        Creating the Component Interfaces
        Creating the Component interface jar file
        Configuring the Component Interface Security
      Troubleshooting

    Chapter 7: SailPoint Siebel Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Pre-requisites
        Administrator permission
      Configuration parameters
      Schema attributes
        Account attributes
        Account Group attributes
        Adding new custom attributes in schema
      Provisioning policy attributes
      Troubleshooting

    Chapter 8: SailPoint NetSuite Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Administrator permissions
      Configuration parameters
      Schema attributes
        Account attributes
        Group attributes
        Schema extension and custom attributes
      Provisioning Policy attributes
      Additional information
        NetSuite Application Program Interface (API)

    Mainframe Integration Modules

    Chapter 9: SailPoint RACF Integration Module
      Overview
      Supported features
      Installing RACF Integration Module

    Chapter 10: SailPoint CA-Top Secret Integration Module
      Overview
      Supported features
      Installing CA-Top Secret Integration Module

    Chapter 11: SailPoint CA-ACF2 Integration Module
      Overview
      Supported features
      Installing CA-ACF2 Integration Module

    Chapter 12: SailPoint RACF LDAP Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Pre-requisites
        Administrator permissions
      Configuration parameters
      Schema Attributes
        Account attributes
        Group attributes
      Provisioning Policy Attributes
      Additional information
        Support for PassPhrase
        Support for Connection Attributes
        Implementing Secured Communication to RACF LDAP Server
        Partitioning Aggregation
      Troubleshooting

    Chapter 13: SailPoint Top Secret LDAP Integration Module
      Overview
        Supported features
        Supported Managed Systems
        Administrator permissions
      Configuration parameters
      Schema Attributes
        Account attributes
        TopSecretProfile attributes
        TopSecretGroup attributes
      Provisioning Policy Attributes
      Additional information
        Support for PassPhrase
        Implementing Secured Communication to Top Secret LDAP Server
        Partitioning Aggregation

    Service Desk Integration Modules

    Chapter 14: SailPoint ServiceNow Service Integration Module
      Overview
      Supported features
      Supported platforms
      Pre-requisites
        Service Request
        Incident and Change Request
      Basic configuration
        Basic flow of Service Request
        Basic configuration of Service Request
      Configuring IdentityIQ to integrate with ServiceNow
        IntegrationConfig XML files for Service Request, Incident and Change Request
        Configuration procedure
        Retryable mechanism
      Upgrade
      Sample scenario
      Troubleshooting

    Chapter 15: SailPoint HP Service Manager Service Integration Module
      Overview
      Supported features
      Supported platforms
      Pre-requisites
      Configuring HP Service Manager for IdentityIQ Integration
        Retryable mechanism
      Additional information
        Creating New Service Request Catalog Item
        Exporting user details from HP Service Manager
        Importing user details from HP Service Manager to IdentityIQ
      Troubleshooting

    Chapter 16: SailPoint BMC Remedy Service Desk Service Integration Module
      Overview
      Supported features
      Supported platforms
      Pre-requisites
      Basic configuration
      Configuring BMC Remedy AR System for IdentityIQ Integration
      Configuring IdentityIQ for BMC Remedy Action Request System Integration
        BMC Remedy Action Request System Integration
        Creating multiple tickets in Remedy System
      Sample scenario

    GRC Integration Module

    Chapter 17: SailPoint SAP GRC Integration Module
      Introduction
      Supported features
      Supported platforms
      Pre-requisites
        SAP GRC Server Settings
        SAP Connector changes for supporting SAP GRC integration
        Creating IdentityIQ application of type SAP GRC
        SAP GRC workflows
      Minimum permissions required for SAP GRC user
      Custom workflows provided for SAP GRC integration
        SAP GRC Data Generator
        SAP GRC Request Executor
      Importing SAP GRC Application Rule
      Viewing the reports
      Upgrade considerations
      Additional information
        Creating a RFC Connection on SAP GRC system
        Configuring cross system on SAP GRC
        (Optional) Support for additional parameters
      Troubleshooting

    Service Management Integration Module (Service Catalog)

    Chapter 18: SailPoint ServiceNow Service Catalog Integration
      Overview
      Supported features
      Supported platforms
      Pre-requisites
      Installation and configuration in ServiceNow
        Installation
        Configuration
      Configuration in SailPoint IdentityIQ
      Troubleshooting

    Provisioning Integration Modules

    Chapter 19: SailPoint Oracle Identity Manager Provisioning Integration Module
      Overview
      Supported features
      Supported platforms
      Installing the OIM Integration Web Application
      Testing the OIM Integration Web Application
        Properties that can be defined in xellerate.properties
      Configuration for OIM application
        Testing the OIM Integration Client
      Aggregating from OIM
      Known/Open issues

    Chapter 20: SailPoint IBM Security Provisioning Integration Module
      Overview
      Supported features
      Supported platforms
      General configuration
      Configuration for Aggregation
      Configuration for Provisioning
      Troubleshooting

    Mobile Device Management Integration Modules

    Chapter 21: SailPoint AirWatch Mobile Device Management Integration Module
      Overview
      Supported features
      Supported platforms
      Pre-requisites
      Configuration

    Application configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199Operation specific configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .199

    Chapter22:SailPointMobileIronMobileDeviceManagementIntegrationModule ..201Overview..........................................................................................201Supportedfeatures ................................................................................201Supportedplatforms ...............................................................................202Pre-requisites......................................................................................202Configuration ......................................................................................202

    Application configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202Operation specific configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .203

    Chapter23:SailPointGoodTechnologyMobileDeviceManagementIntegrationMod-ule.............................................................................205Overview..........................................................................................205Supportedfeatures ................................................................................205Supportedplatform ................................................................................206Pre-requisites......................................................................................206Configuration ......................................................................................206

  • Application configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206Operation specific configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207

    ITSecurityIntegrationModule ....................................209Chapter24:SailPointHPArcSightIntegrationModule..........................211Overview..........................................................................................211

    Common Event Format (CEF) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211Supportedfeatures ................................................................................212Supportedplatforms ...............................................................................212Pre-requisites......................................................................................212Configuration ......................................................................................212Configuration to export IdentityIQ Data to ArcSight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212Configuration to Import HP ArcSight CEF Flat File to SailPoint IdentityIQ . . . . . . . . . . . . . . . . . . . . .216

    Appendix ..........................................................219Appendix A: Common Identity Management Integration Configuration . . . . . . . . . . . . 221Overview..........................................................................................221CreatingtheIntegrationConfigObject ..............................................................221Provisioning.......................................................................................226Appendix B: Component Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229CreatingcomponentinterfaceforPeopleSoftfinancials.............................................229

    Basic structure of Custom Component (CI) from USERMAINT component for Users . . . . . . . . . . . . .229Basic structure of Custom Component (CI) from ROLEMAINT component for Roles . . . . . . . . . . . . .234Basic structure of Custom Component (CI) from PURGE_USR_PROFILE component for Delete User 236Basic structure of Component Interface (CI) from PURGE_ROLEDEFN component for Delete Role .237Deletingthecomponentinterface ..................................................................238

  • What is SailPoint IdentityIQ?

    Chapter 1: Overview

    The following topics are discussed in this chapter:

    - What is SailPoint IdentityIQ?
    - SailPoint Integration Guide Overview

    What is SailPoint IdentityIQ?

    SailPoint IdentityIQ is an identity and access management solution for enterprise customers that delivers a wide variety of IAM processes, including automated access certifications, policy management, access request and provisioning, password management, and identity intelligence. Furthermore, IdentityIQ has a flexible connectivity model that simplifies the management of applications running in the datacenter or the cloud.

    Compliance Manager: IdentityIQ Compliance Manager automates access certifications, policy management, and audit reporting through a unified governance framework. This enables you to streamline compliance processes and improve the effectiveness of identity governance, all while lowering costs.

    Lifecycle Manager: IdentityIQ Lifecycle Manager manages changes to access through user-friendly self-service request and password management interfaces and automated lifecycle events. It provides a flexible, scalable provisioning solution for addressing the constantly evolving access needs of your business in a way that's both efficient and compliant.

    Privileged Account Management Module: IdentityIQ Privileged Account Management module provides a standardized approach for extending critical identity governance processes and controls to highly privileged accounts, allowing IdentityIQ to be used as a central platform to govern standard and privileged accounts.

    Connectors and Integration Modules: IdentityIQ offers Integration Modules that support the extended enterprise IT infrastructure. Third party provisioning and service desk integration enable multiple sources of fulfillment to access change. Service catalog integration supports a unified service request experience with integrated governance and fulfillment. Mobile device management integration mitigates risk posed by mobile devices through centralized visibility, control and automation. And IdentityIQ's IT security integration provides enhanced security with improved responsiveness and controls.

    Open Identity Platform: SailPoint's Open Identity Platform lays the foundation for effective and scalable IAM within the enterprise. It establishes a common framework that centralizes identity data, captures business policy, models roles, and takes a risk-based, proactive approach to managing users and resources. The Open Identity Platform is fully extensible, providing robust analytics which transforms disparate and technical identity data into relevant business information, resource connectivity that allows organizations to directly connect IdentityIQ to applications running in the datacenter or in the cloud, and APIs and a plugin framework to allow customers and partners to extend IdentityIQ to meet a wide array of needs. An open platform allows organizations to build a single preventive and detective control model that supports all identity business processes, across all applications, in the datacenter and the cloud. SailPoint IdentityIQ applies consistent governance across compliance, provisioning and access management processes, maximizing investment and eliminating the need to buy and integrate multiple products.

    Password Manager: IdentityIQ Password Manager delivers a simple-to-use solution for managing user passwords across cloud and on-premises applications from any desktop browser or mobile device. By providing intuitive self-service and delegated administration options to manage passwords while enforcing enterprise-grade password policies, IdentityIQ enables businesses to reduce operational costs and boost productivity.

  • SailPoint Integration Guide Overview

    SailPoint Integration Guide Overview

    SailPoint Integration Modules deliver extended value from standard IdentityIQ deployments. SailPoint is committed to providing design, configuration, troubleshooting and best practice information to deploy and maintain strategic integrations. SailPoint has modified the structure of this document to aid customers and partner deployments. The focus of this document is product configuration and integration. For more details on design, troubleshooting and deployment best practices, refer to the Connector and Integration Deployment Center in Compass, SailPoint's online customer portal.

    This document provides a guide to the integration between the following products and IdentityIQ:

    Healthcare Integration Module

    - SailPoint Epic Integration Module

    Enterprise Resource Planning Integration Modules

    - SailPoint PeopleSoft Integration Module
    - SailPoint SAP Portal-User Management Web Service Integration Module
    - SailPoint Siebel Integration Module
    - SailPoint SAP Integration Module
    - SailPoint Oracle E-Business Suite Integration Module
    - SailPoint NetSuite Integration Module

    Mainframe Integration Modules

    - SailPoint RACF Integration Module
    - SailPoint CA - Top Secret Integration Module
    - SailPoint CA - ACF2 Integration Module
    - SailPoint RACF LDAP Integration Module
    - SailPoint Top Secret LDAP Integration Module

    Service Desk Integration Modules

    - SailPoint BMC Remedy Service Desk Service Integration Module
    - SailPoint HP Service Manager Service Integration Module
    - SailPoint ServiceNow Service Integration Module

    Service Management Integration Module (Service Catalog)

    - SailPoint ServiceNow Service Catalog Integration

    Provisioning Integration Modules

    - SailPoint Oracle Identity Manager Provisioning Integration Module
    - SailPoint IBM Security Provisioning Integration Module

    Mobile Device Management Integration Modules

    - SailPoint AirWatch Mobile Device Management Integration Module
    - SailPoint MobileIron Mobile Device Management Integration Module
    - SailPoint Good Technology Mobile Device Management Integration Module

    IT Security Integration Module

    - SailPoint HP ArcSight Integration Module

    GRC Integration Module

    - SailPoint SAP GRC Integration Module

    This document is intended for the above products and IdentityIQ System Administrators and assumes a high degree of technical knowledge.

  • Healthcare Integration Module

    This section contains information on the following section:

    - SailPoint Epic Integration Module

    Note: For customers entitled to the SailPoint Healthcare Integration Module, the following requirements must be met:

    - access to the API of the Electronic Medical Record (EMR) system so that SailPoint Connector can connect to the EMR system
    - access to the EMR system's user interface or console to view results of any action performed by the SailPoint Connector through user interface or console

    This EMR access is required to support ongoing development, test and maintenance of SailPoint Healthcare Integration Module.

  • Overview

    Chapter 2: SailPoint Epic Integration Module

    The following topics are discussed in this chapter:

    - Overview
        - Important consideration
        - Supported features
        - Supported Managed System
        - Pre-requisites
        - Administrator permissions
    - Configuration parameters
    - Schema Attributes
        - Account attributes
        - Group attributes
    - Provisioning Policy attributes
    - Troubleshooting

    Overview

    Epic is a privately held health care software company. Epic offers an integrated suite of health care software centered on a MUMPS database. Their applications support functions related to patient care, including the following:

    - registration and scheduling
    - clinical systems for doctors, nurses, emergency personnel, and other care providers
    - systems for lab technicians, pharmacists, and radiologists
    - billing systems for insurers

    SailPoint Epic Integration Module supports managing Epic accounts (EMP records), linked templates, linked sub-templates and InBasketClassifications.

    Important consideration

    For customers entitled to the SailPoint Healthcare Integration Module, the following requirements must be met:

    - access to the API of the Electronic Medical Record (EMR) system so that SailPoint Connector can connect to the EMR system
    - access to the EMR system's user interface or console to view results of any action performed by the SailPoint Connector through user interface or console

    This EMR access is required to support ongoing development, test and maintenance of SailPoint Healthcare Integration Module.

    Supported features

    SailPoint Epic Integration Module supports the following features:

    Account Management

    - Manage Epic EMP records as Accounts
    - Aggregation, Refresh Account
    - Create, Update, Delete
    - Enable, Disable, Unlock, Change Password
    - Add/Remove Entitlements

    Entitlements are supported for Epic Linked Template, Linked Sub-templates and InBasketClassifications.

    Account - Group Management

    - Manage Epic Linked Template as Account - Groups
    - Manage Epic Linked Subtemplates as Account - Groups
    - Manage Epic InBasketClassifications as Account - Groups
    - Aggregation

    Supported Managed System

    SailPoint Epic Integration Module supports Epic version 2015 and 2014.

    Pre-requisites

    Epic Web Services: The Epic APIs provide SOAP-based service calls supported by the Epic Web Services.

    All communication with the Epic Interconnect server should be done via this service interface. For the Epic Integration Module to work, the following web services must be enabled on the Interconnect server, and authentication and encryption settings must be configured appropriately:

    - Core: The Core WCF service fetches all the records matching specified filters. The Integration Module uses this service to:
        - read all records with INI type as EMP
        - get categories for Epic items 55 (BlockStatus) and 450 (InBasketClassifications)

    - Personnel Management: Personnel Management is a web service that implements all the provisioning-related APIs used by the Integration Module. In addition, it provides an interface to read details about each of the EMP records that the Core service returns.

    The Core and the Personnel Management Module of the Epic Web Services must be enabled for access. A debugging interface available on the Epic Web Services server displays the enabled and disabled status of various Epic Web Services. This debugging interface must be used to view and verify that the required Web Services are enabled when integrating with IdentityIQ. The format of the URL for the diagnostic service is as follows:

    http://[epic-webservices-server-name]/[epic-instancename]/StatusPage/Main.aspx

    For example, http://example-epic-websrvr.acme.com/Interconnect-TST_POC2014/StatusPage/Main.aspx

  • Configuration parameters

    Configuring the truststore: To configure the truststore, the server root certificate should be imported into the keystore for the remote API calls. Ensure that the following Java system property is set to the path of the imported root certificate for SSL SOAP connections: -Djavax.net.ssl.trustStore =

    For customers using SOAP version 1.2, add the following entry in the application debug page and perform the supported operations:

    Administrator permissions

    To manage SailPoint Epic Integration Module, ensure that the Web Services mentioned in the Pre-requisites section are enabled on the Interconnect server.

    Configuration parameters

    This section contains the information that this Integration Module uses to connect and interact with the application.

    The Epic Integration Module uses the following connection attributes:

    Attribute | Description
    URL | Specifies the host and port of Epic instance.
    Username | Specifies the administrator or the unique ID of the user which has administrative level privileges to perform aggregation and provisioning operation on Epic system.
    Password | Password of the administrator user.
    Manage Active Accounts Only | (Applicable to Account aggregation only) By default this is selected and will aggregate only active accounts during account aggregation.
    Page Size | Number of records to fetch during account or group aggregation in a single call to Interconnect server. Default: 500

    Schema Attributes

    This section describes the different schema attributes.

    Account attributes

    The following table lists the account attributes:

    Attribute name | Description
    UserID | Unique ID of the Epic user.
    Name | The Epic user's name, in LastName,FirstName MI format.
    SystemLoginID | The user's operating system login. The name must be unique.
    UserAlias | Another name by which this user is known. Typically used for maiden names or other name changes. In Last, First format.
    StartDate | The date the user started at the organization.
    IsPasswordChangeRequired | Password change required flag.
    EndDate | The date the user was terminated or left the organization.
    DefaultLoginDepartmentID | By default, when the user logs into Epic, he is presented with this department.
    LinkedProviderID | An NPI (National Provider Identifier), a pointer to the user's operating system login, or another ID created by third party.
    LinkedSubtemplateIDs | Sub-templates are used to provide modular configuration for many users and are highly configurable. Sub-templates with a lower index have priority.
    LinkedTemplateID | The list of templates the user is allowed to select from Epic. Templates are used to provide modular configuration for many users and are highly configurable.
    AuthenticationConfigurationID | A non-native authentication method (for example, LDAP) used to authenticate when user logs into Epic.
    UserRoles | User Roles combine to produce the look, feel, and behavior of Epic for a given user.
    ExternalIdentifiers | Manage user identity in multiple systems.
    CustomUserDictionaries | User's dictionary file to maintain their own spell check corrections.
    InBasketClassifications | Determines the messages the user receives in Epic.
    Notes | Text notes about the user.
    ContactComment | Comment associated with the creation of this user.
    ContactDate | Last modified date. Defaults to current date if not provided.
    UserDictionaryPath | File path at which the custom user dictionary files can be found.
    LDAPOverrideID | A string that can be provided to identify the user to the LDAP server in place of the SystemLogin.
    IsActive | Indicates whether the user is allowed to log into Epic.
    IsBlocked | Indicates whether the user is blocked from logging into Epic.
    BlockReason | Reason why the user account is blocked.
    BlockComment | Text comment about why the user is blocked. Maximum allowed length is 100 characters.
    ReportGrouper1, ReportGrouper2, ReportGrouper3 | Report groupers are used to segregate users for highly specific reporting and statistics needs.

  • Provisioning Policy attributes

    Group attributes

    The following table lists the Group attributes:

    Attribute name | Description

    Linked template attributes
    LinkedTemplateID | The ID of the LinkedTemplate.
    LinkedTemplateName | Name of the LinkedTemplate.

    Linked Subtemplates attributes
    LinkedSubtemplateIDs | ID of the Linked Sub-template. Sub-templates are used to provide modular configuration for many users and are highly configurable. Sub-templates with a lower index have priority.
    LinkedSubTemplateName | Name of the Linked Sub-template.

    InBasketClassifications attributes
    Number | ID of the InBasketClassifications.
    Title | Description of the InBasketClassifications.
    Abbreviation | Abbreviation of the InBasketClassifications.

    Provisioning Policy attributes

    The following table lists the provisioning policy attributes for Create and Update Account:

    Attribute name | Description
    Name | The Epic user's name in LastName, FirstName, MI format.
    User ID | User ID for the newly created user. If provided, it will create user with specified ID else Epic will assign the ID automatically.
    Password | Password of the user to be created.
    DefaultLoginDepartment | Represents the department of the user. For example, INITIAL DEPARTMENT
    DefaultLinkedTemplateID | The default linkable template for the user.
    StartDate | Defaults to the initial start date.
    EndDate | End date of the user account.
    SystemLoginID | Unique name of the user's operating system login. The maximum length is 254 characters.
    Notes | Free text notes about the user.
    ContactComment | A comment associated with the creation of the user.
    LDAPOverrideID | A string that can be provided to identify the user to the LDAP server in place of the SystemLogin.
    UserDictionaryPath | File path at which custom user dictionary files can be found.
    AuthenticationConfigurationID | If a non-native authentication method is used to authenticate the user when he logs into Epic.
    CustomUserDictionary_index_0 | A number that indicates the priority of the value. Lower order numbers are given more priority.
    CustomUserDictionary_value_0 | The string being stored at the indexed position.
    CustomUserDictionary_index_1 | A number that indicates the priority of the value. Lower order numbers are given more priority.
    CustomUserDictionary_value_1 | The string being stored at the indexed position.
    ExternalIdentifier_id_0 | The external ID to be set for this user.
    ExternalIdentifier_type_0 | Type of this ID - that is, for what kind of system it is valid.
    ExternalIdentifier_password_0 | Password to set for specific external ID.
    ExternalIdentifier_isActive_0 | Value must be set to true in case this ID must be marked as active, that is, if the user can use it in the external system; else false.
    ExternalIdentifier_id_1 | External ID to be set for this user.
    ExternalIdentifier_type_1 | Type of this ID - that is, for what kind of system it is valid.
    ExternalIdentifier_password_1 | Password to set for this external ID.
    ExternalIdentifier_isActive_1 | Value must be set to true in case this ID must be marked as active, that is, if the user can use it in the external system; else false.

    Optional attributes

    If required, the user can add the following attributes manually to the Provisioning Policy after upgrading to IdentityIQ version 7.2.

    IsActive | Indicates whether the user is allowed to log into Epic.
    IsBlocked | Indicates whether the user is blocked from logging into Epic.
    BlockReason | Reason why the user account is blocked.
    BlockComment | Text comment about why the user is blocked. Maximum allowed length is 100 characters.

  • Troubleshooting

    Note: To provide multiple values for CustomUserDictionary and ExternalIdentifier, the provisioning policy can be updated to include multiple attributes to accept multiple values. For example, to provide 3 custom user dictionaries, the following attributes can be added in the Provisioning Policy:

    - CustomUserDictionary_index_2
    - CustomUserDictionary_value_2
    - CustomUserDictionary_index_3
    - CustomUserDictionary_value_3

    The last characters of these values keep incrementing for any additional attributes added.

    Troubleshooting

    1 - While executing any operations in IdentityIQ error messages are displayed

    While executing any operations in IdentityIQ, either of the following error messages are displayed:

    java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    OR

    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    Resolution: Configure the certificates correctly.
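    The two certificate errors above have different causes, and the following added diagnostic (not SailPoint code) tells them apart using the truststore named by the javax.net.ssl.trustStore property from the Pre-requisites section. The class name TrustStoreCheck and the host and port arguments are assumptions for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added diagnostic with a hypothetical class name; not part of IdentityIQ.
// Run it with the same truststore settings the application server JVM uses:
//   java -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<password> \
//        TrustStoreCheck <interconnect-host> <port>
public class TrustStoreCheck {

    // Counts trusted-certificate entries. Zero entries is the condition behind
    // "the trustAnchors parameter must be non-empty".
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TrustStoreCheck <host> <port>");
            System.exit(2);
        }
        String path = System.getProperty("javax.net.ssl.trustStore");
        String pass = System.getProperty("javax.net.ssl.trustStorePassword");
        if (path == null) {
            System.err.println("javax.net.ssl.trustStore is not set for this JVM");
            System.exit(1);
        }
        Path file = Paths.get(path);
        if (!Files.isReadable(file)) {
            // JSSE does not fail on a missing file; it proceeds with no anchors.
            System.err.println("Truststore not readable: " + path
                    + " (expect the trustAnchors error)");
            System.exit(1);
        }

        String type = System.getProperty("javax.net.ssl.trustStoreType",
                KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, pass == null ? null : pass.toCharArray());
        }

        int anchors = countTrustAnchors(ks);
        System.out.println(path + ": " + anchors + " trusted certificate entries");
        if (anchors == 0) {
            System.err.println("No trusted certificates: expect the trustAnchors error");
            System.exit(1);
        }

        // Build a TLS context that trusts only this truststore.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory()
                .createSocket(args[0], Integer.parseInt(args[1]))) {
            // Verify the host name as an HTTPS client would.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("Handshake OK: the server chain validates against "
                    + path);
        } catch (SSLHandshakeException e) {
            // A "PKIX path building failed" message here means the server's
            // root certificate is not among the trusted entries.
            System.err.println("Handshake failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

    A zero entry count or an unreadable path corresponds to the first error message; a failed handshake with entries present corresponds to the second.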

    2 - An error message appears if the core service is not enabled

    If the Core service is not enabled the following error message appears in the interface or log file:

    ApplicationFault:FacadeServiceDisabled The requested business service is disabled.

    Resolution: Enable the Core web services on the Epic web services server.

    3 - For JBoss EAP server, test connection fails with an error message

    The following error message appears when the test connection fails for JBoss EAP Server:

    Exception while connecting to Personnel service

    Resolution: Copy the addressing-1.6.1.mar file from \\WEB-INF\lib\ directory to deployment directory of JBoss (for example, jboss-eap-6.2\standalone\deployments) in order to work with certificate based authentication on JBoss.

    Provide the path to MAR files as a parameter while starting JBOSS EAP server (for example, standalone.bat -Daxis2.repo=\\jboss-eap6.2\standalone\deployments\addressing-1.6.1.mar)

    4 - Not able to generate SOAP Envelope logging in Epic Integration Module

    When performing any operation, not able to generate SOAP Envelope logging in Epic Integration Module.

    Resolution: To enable advanced SOAP Envelope logging in Epic Integration Module configure the following attribute in xml application schema:

    Note: Download the sailpoint_epic_connector_axis2.xml file from IdentityIQ.zip/integration directory and copy it into identityiq\WEB-INF\classes directory in order to generate SOAP logs.

    5 - Account Aggregation Task enters into an endless loop

    Account Aggregation Task enters into an endless loop when GetRecords API enters into endless loop.

    Resolution: To avoid the GetRecords API call getting into an endless loop, a GetRecordsCallsthreshold parameter is used. The default value of GetRecordsCallsthreshold is 5000. To increase the count of GetRecordsCallsthreshold, enter the following key in Epic application xml:

    where, value is the maximum number of calls that would be made to Interconnect server.

    6-UnabletoperformTestConnection/AccountAggregationfortrailingbackslashThe following message appears when unable to perform the Test Connection/Account Aggregation for trailing backslash:

    ERROR http-nio-8080-exec-8 apache.axis2.engine.AxisEngine:219 - The [action] cannot be processed at the receiverResolution: Provide a link as follows without the trailing backslash at the end:

    http://example-epic-websrvr.acme.com/Interconnect-TST_POC2014


  • Enterprise Resource Planning Integration Modules

    This section contains information on the following sections:

    - SailPoint PeopleSoft Integration Module
    - SailPoint SAP Portal-User Management Web Service Integration Module
    - SailPoint Siebel Integration Module
    - SailPoint SAP Integration Module
    - SailPoint Oracle E-Business Suite Integration Module
    - SailPoint NetSuite Integration Module


  • Overview

    Chapter 3: SailPoint SAP Integration Module

    The following topics are discussed in this chapter:

    - Overview
        - Supported features
        - Supported Managed Systems
        - Pre-requisites
        - Administrator permissions
    - Configuration parameters
    - Schema attributes
        - Account attributes
        - Group attributes
        - Schema extension and custom attributes
        - Upgrade considerations
    - Provisioning Policy attributes
        - Create account attributes
    - Additional information
        - Entitlement validity period
        - CUA support
        - Entitlement Data
        - Password Change
        - Logon and Communication Language attributes
        - Delta Aggregation
        - Partitioning Aggregation
    - Troubleshooting

    Overview

    SAP Enterprise Resource Planning software solution is an integrated software solution that incorporates the key business functions of the organization.

    The SAP Integration Module aggregates and provisions all the users along with their roles/profiles of the SAP system.

    SailPoint SAP Integration Module supports provisioning to a standalone SAP system as well as SAP Central User Administration (CUA) system.

    Supported features

    SailPoint SAP Integration Module supports the following features:

    Account Management

    - Manages SAP users as Accounts

    - Aggregation, Partitioning Aggregation, Delta Aggregation, Refresh Accounts, Pass Through Authentication


    For more information on Delta Aggregation and Partitioning Aggregation, see Additional information on page 29.

    Note: SAP Integration Module aggregates Generated Profile associated to Role as a part of Account-Group Aggregation.

    - Create, Update, Delete

    - Enable, Disable, Unlock

    - Change Password

    Note: For Change password in Permanent Mode ensure that the SNC is configured on SAP server. The log on session during which a productive password is set must be secured using Secure Network Communications (SNC).

    Note: SAP advises that setting a productive password is riskier than setting an initial one; therefore, additional security checks must be applied as follows:

        - The log on session during which a productive password is set must be secured using Secure Network Communications (SNC).
        - The user needs an additional authorization to set a productive password (authorization object: S_USER_GRP, activity: 'PP' - Set Productive).

    For more information, see SAP note https://service.sap.com/sap/support/notes/1287410 (SAP Service marketplace login required).

    - Add/Remove Entitlements

    Entitlements are Roles (for user), Profiles (for user), UserGroup (User group of the user).

    - Add/Remove Contractual User Type ID

    Account-Group Management

    - Manages SAP Roles as Account-Groups

    - Manages SAP Profiles as Account-Groups

    Note: A few system composite profiles might have child profiles which are not present in the SAP system. For example, for each release, composite profile SAP_NEW contains a single profile SAP_NEW_ (for example, SAP_NEW_21D). This profile holds its release status. Profiles like SAP_NEW_ may not be aggregated.

    - Aggregation, Refresh Groups

    Note: In Account-Group aggregation for SAP CUA landscape, SAP Integration Module will not fetch child roles and child profiles of any composite role and profile, as the CUA system does not maintain child level roles and profile details for child subsystems. Similarly, it will not fetch TCodes and Generated Profile for group object type.

    Supported Managed Systems

    The following versions of SAP NetWeaver system are supported by the SAP Integration Module:

    - SAP NetWeaver 7.5, 7.4, 7.31, 7.3, 7.2, 7.1 and 7.0

    Note: SailPoint SAP Integration Module manages ABAP users. For more information, see "Supported features" on page 15.

    Pre-requisites

    SAP JCO version 3.0.x libraries, along with sapjco3.dll (on Microsoft Windows) or libsapjco3.so (on UNIX), must be present in the java.library.path directory on the host. The JCO libraries (JCO Release 3.0.x) must be downloaded from the SAP website by navigating to the customer service marketplace and downloading the Java Integration Module.

    Administrator permissions

    The following table lists the required permissions for the specific operations mentioned below in this section:

    The role assigned to the SAP Administrative user must have the following Authorization Objects as mentioned in the tables below.

    Table 1: Operation specific required permissions

    | Operation | Required permissions |
    |---|---|
    | Test Connection | Test Connection |
    | Account Aggregation | Test Connection and Account Aggregation. Note: For Account Aggregation of CUA systems, additional permissions must be executed as specified in the Account Aggregation section. |
    | Group Aggregation | Test Connection and Group Aggregation. Note: For Group Aggregation of CUA systems, additional permissions must be executed as specified in the Group Aggregation section. |
    | Delta Aggregation | Test Connection, Account Aggregation and Delta Aggregation |
    | Create Account | Test Connection, Account Aggregation and Create Account. Note: For Create Account of CUA systems or SNC network, additional permissions must be executed as specified in the Create Account (Create user with assign role and profiles) section. |
    | Enable/Disable/Unlock Account | Test Connection, Account Aggregation and Enable/Disable/Unlock Account |
    | Delete Account | Test Connection, Account Aggregation and Delete Account |
    | Add/Remove Entitlement | Test Connection, Account Aggregation and Add/Remove Entitlement |
    | Change Password | Test Connection, Account Aggregation and Change Password. Note: For Change Password of SNC network, additional permissions must be executed as specified in the Add/Remove Entitlements and Change Password section. |


    Test Connection

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_RFC | ACTVT | Activity | 16 - Execute |
    | | RFC_NAME | Name of RFC object | RFCPING |
    | | RFC_TYPE | Type of RFC object | FUGR, FUNC |

    Account Aggregation

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_RFC | RFC_NAME | Name of RFC object | BAPI_USER_GETLIST, BAPI_USER_GET_DETAIL, DDIF_FIELDINFO_GET, MSS_GET_SY_DATE_TIME, RFC_GET_FUNCTION_INTERFACE, SDTX, SMSSDATA1, SU_USER |
    | S_TABU_NAM | ACTVT | Activity | 03 - Display |
    | | TABLE | Name TABLE | USR06, USR02, TUTYP |
    | S_USER_GRP | ACTVT | Activity | 03 - Display |
    | | CLASS | User group in user master maintenance | * or specify the Group you want to assign for the user. For example, SUPER |

    Additional permissions for CUA systems

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_RFC | RFC_NAME | Name of RFC object | BAPI_USER_LOCACTGROUPS_READ, BAPI_USER_LOCPROFILES_READ |


    Group Aggregation

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_RFC | ACTVT | Activity | 03 - Display |
    | | RFC_NAME | Name of RFC object | BAPI_HELPVALUES_GET, PRGN_ACTIVITY_GROUPS_LOAD_RFC, PRGN_EXCHANGE, COLL_ACTGROUPS_GET_ACTGROUPS, DDIF_FIELDINFO_GET, MSS_GET_SY_DATE_TIME, PRGN_COLLECTIVE_ACTGROUPS, RFC_GET_FUNCTION_INTERFACE, SDTX, SMSSDATA1 |
    | S_TABU_NAM | TABLE | Name TABLE | AGR_FLAGS, AGR_PROF, AGR_TCODES, AGR_TEXTS (Roles), USR11, UST10C (Profiles) |

    Additional permissions for CUA systems

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_TABU_NAM | TABLE | Name TABLE | (Profiles) USRSYSPRF, USRSYSPRFT (Roles) USRSYSACTT, USRSYSACT |

    Delta Aggregation

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_RFC | RFC_NAME | Name of RFC object | /SAILPOIN/USR_CHANGE_DOC_USERS, /SAILPOIN/IDENTITYIQ_FUGR, /SAILPOIN/USR_CHANGE_DOC_ROLES |
    | S_TABU_NAM | TABLE | Name TABLE | USBAPILINK |
    | S_USER_GRP | ACTVT | Activity | 08 - Display change document |


    Create Account (Create user with assign role and profiles)

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_USER_GRP | ACTVT | Activity | 01 - Create or generate |
    | S_RFC | RFC_NAME | Name of RFC object | SDIFRUNTIME |
    | S_USER_SAS | ACTVT | Activity | 22 - Enter, Include, Assign, 01 - Create |
    | | ACT_GROUP | Role name | * or you can specify role name for which you have assigned |
    | | CLASS | User group in user master maintenance | * or specify the Group you want to assign for the user. For example, SUPER |
    | | PROFILE | Auth. profile in user master maintenance | * or you can specify Profile for which you have assigned |
    | | SUBSYSTEM | Receiving system for central user administration | * or specify the system you are targeting. |

    For SNC (Secure Network Communication)

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_USER_GRP | ACTVT | Activity | PP - Set Productive |

    Enable/Disable/Unlock Account

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_USER_GRP | ACTVT | Activity | 05 - Lock |

    Delete Account

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_USER_GRP | ACTVT | Activity | 06 - Delete |


    Add/Remove Entitlements and Change Password

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_USER_GRP | ACTVT | Activity | 02 - Change, 05 - Lock |
    | S_RFC | RFC_NAME | Name of RFC object | SDIFRUNTIME |
    | S_USER_SAS | ACTVT | Activity | 22 - Enter, Include, Assign |
    | | ACT_GROUP | Role name | * or you can specify role name for which you have assigned |
    | | CLASS | User group in user master maintenance | * or specify the Group you want to assign for the user. For example, SUPER |
    | | PROFILE | Auth. profile in user master maintenance | * or you can specify Profile for which you have assigned |
    | | SUBSYSTEM | Receiving system for central user administration | * or specify the system you are targeting. |

    (For Change Password only) For SNC (Secure Network Communication)

    | Authorization Objects | Field name | Field description | Field value |
    |---|---|---|---|
    | S_USER_GRP | ACTVT | Activity | PP - Set Productive |

    Configuration parameters

    The following table lists the configuration parameters of SAP Integration Module:

    | Parameters | Description |
    |---|---|
    | SAP Host* | Host on which the SAP Server is running |
    | System Number* | 2-digit SAP system number (Default: 00) |
    | Client Number* | 3-digit SAP client number (Default: 001) |
    | Client Language* | 2-letter SAP client language (Default: EN) |
    | Username* | SAP Administrator user |
    | Password* | SAP Administrator user password |
    | CUA system | For CUA system detection |
    | JCO RFC Trace | If checked, enables SAP JCO RFC trace |
    | Unlock on Password Change | If checked, the account would be unlocked while changing password. Note: Account will be unlocked at the time of set password only if the account is locked by incorrect password attempts. |
    | Partition Enabled | Check box to determine if partition aggregation is required. |
    | Partition Statements | Criteria to specify the range of users to be downloaded. For example, if the range is specified as A-M, then this specifies that all the users whose User IDs are between A and M (including A and M) would be treated as one partition and downloaded. To specify more than one partition the entries should be separated using a new line character. For more information, see Partitioning Aggregation on page 34. |

    SNC Configuration parameters

    | Parameters | Description |
    |---|---|
    | SNC Mode | Represents Secure Network Connection which also internally signifies jco.client.snc_mode in SAP. SNC will be enabled if the mode is selected as ON whose value is 1. If SNC is off, the value will be 0. |
    | SNC Level of Security | Represents the quality of protection level (QOP) which is defined as follows: 1 - Apply authentication only; 2 - Apply integrity protection (authentication); 3 - Apply privacy protection (integrity and authentication); 8 - Apply the default protection; 9 - Apply the maximum protection. In SAP, it relates to jco.client.snc_qop. Default: 1 |
    | SNC Partner Name | Represents SNC partner. For example, provide input as p:CN=R3, O=XYZ-INC, C=EN in SAP. If SNC is configured, it relates to jco.client.snc_partnername. |
    | SNC Name | Represent SNC name which internally signifies jco.client.snc_myname. It overrides default SNC partner. |
    | SNC Library | Path to library which provides SNC service. It internally signifies jco.client.snc_lib. For example, the value to be passed: on Microsoft Windows: C:/sapcryptolib/sapcrypto.dll (the location of the cryptographic library); on UNIX: /opt/sailpoint/lib/custom/libsapcrypto.so (the location of the cryptographic library) |

    SAP GRC Settings parameters

    | Parameters | Description |
    |---|---|
    | Enable SAP GRC | Enables the application for SAP GRC policy violation checks. |
    | SAP GRC Connector Name | SAP GRC Connector name which is configured on GRC server for this application. |

    Note: For more information on SAP GRC configuration, see SailPoint IdentityIQ Integration Guide.

    Note: Attributes marked with * sign are the mandatory attributes.
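    An added example, not part of the SailPoint guide: a Python check of the SNC settings described above, keyed by the jco.client.* property names the table cites. It assumes the settings have been exported as key=value lines; the sample values, function names and severity labels are constructed for illustration.

```python
import re

# QOP values as listed under "SNC Level of Security" in the guide.
QOP_MEANING = {"1": "authentication only", "2": "integrity protection",
               "3": "privacy protection", "8": "default protection",
               "9": "maximum protection"}
ABSOLUTE_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")

# Constructed samples (not from a real system).
WEAK_SAMPLE = """\
# SNC switched on, everything else left at defaults
jco.client.snc_mode=1
jco.client.snc_partnername=p:CN=R3, O=XYZ-INC, C=EN
jco.client.snc_lib=libsapcrypto.so
"""
HARDENED_SAMPLE = """\
jco.client.snc_mode=1
jco.client.snc_qop=3
jco.client.snc_partnername=p:CN=R3, O=XYZ-INC, C=EN
jco.client.snc_myname=p:CN=IIQ, O=XYZ-INC, C=EN
jco.client.snc_lib=/opt/sailpoint/lib/custom/libsapcrypto.so
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_snc(props, sets_productive_passwords=False):
    """Return a list of (severity, key, message) findings."""
    findings = []
    if props.get("jco.client.snc_mode", "0") != "1":
        severity = "HIGH" if sets_productive_passwords else "MEDIUM"
        findings.append((severity, "jco.client.snc_mode",
                         "SNC is off; the guide requires SNC for sessions "
                         "that set a productive password"))
        return findings  # the other SNC keys are unused when SNC is off

    qop = props.get("jco.client.snc_qop", "1")  # guide: default is 1
    if qop not in QOP_MEANING:
        findings.append(("HIGH", "jco.client.snc_qop",
                         f"unknown QOP value {qop!r}"))
    elif qop in ("1", "2"):
        findings.append(("MEDIUM", "jco.client.snc_qop",
                         f"QOP {qop} ({QOP_MEANING[qop]}) does not encrypt "
                         "RFC traffic; use 3 or 9"))
    elif qop == "8":
        findings.append(("LOW", "jco.client.snc_qop",
                         "QOP 8 defers to the default protection; confirm "
                         "that it resolves to privacy protection"))

    if not props.get("jco.client.snc_partnername"):
        findings.append(("HIGH", "jco.client.snc_partnername",
                         "no partner name; SNC needs the SAP server's SNC "
                         "name to authenticate it"))

    lib = props.get("jco.client.snc_lib", "")
    if lib and not ABSOLUTE_PATH.match(lib):
        findings.append(("MEDIUM", "jco.client.snc_lib",
                         "relative library path; give the absolute path to "
                         "the cryptographic library"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        for severity, key, message in audit_snc(parse_properties(sample)):
            print(f"{name}: [{severity}] {key}: {message}")
```

    The weak sample shows that turning SNC Mode on while leaving SNC Level of Security at its default of 1 authenticates the connection but applies neither integrity nor privacy protection.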


    Schema attributes

    This section describes the different schema attributes.

    Account attributes

    The following table lists the account attributes:

    | Attributes | Description |
    |---|---|
    | Academic Title (Address) | Academic title of the user. |
    | Academic Title 2 (Address) | 2nd Academic title of the user. |
    | Addr Number (Address) | Address number of the user. |
    | Alias (Logon Data) | Alias name. |
    | Birth Name (Address) | Name at birth. |
    | Building (Address) | Name of the building. |
    | Building 2 (Address) | Name 2 of the building. |
    | Building Long (Address) | Long name of the building. |
    | Care of (Address) | Care of name. |
    | Check Status (Address) | Check status for the user. |
    | City (Address) | Name of the city. |
    | City Number (Address) | Number of the city. |
    | Code (Address) | Signature initials |
    | Communication Language (Address) | Communication language of the user. Note: The different values to be set for this attribute are mentioned in Logon and Communication Language attributes on page 31. |
    | Communication type (Address) | Communication method for the user. |
    | Company (Address) | Name of the company. |
    | Company Address (Address) | Address of the company. |
    | Company Address 2 (Address) | Address 2 of the company. |
    | Company Address 3 (Address) | Address 3 of the company. |
    | Company Address 4 (Address) | Address 4 of the company. |
    | Contractual User Type ID | Contractual user types associated with user. Note: For more information, see Upgrade considerations on page 28. |
    | Country (Address) | Name of the country. |
    | Country ISO (Address) | ISO name of the country. |
    | Delivery District (Address) | Delivery district name. |
    | Department (Address) | Department name. |
    | District (Address) | District name. |
    | District Number (Address) | District number for the user. |
    | E-Mail (Address) | E-mail address. |
    | E-Mail List (Address) | E-mail address list. |
    | Employee Number (Address) | Employee number of the user. |
    | Fax (Address) | Fax number. |
    | Fax Extension (Address) | Fax extension number |
    | Fax List (Address) | Fax number list |
    | First name (Address) | First name of the user |
    | Floor (Address) | Floor number |
    | Floor 2 (Address) | Floor 2 number |
    | Format (Address) | Format name |
    | Full Name (Address) | Full name of the user |
    | Full Name 2 (Address) | Full name 2 of the user |
    | Function (Address) | Function of the user |
    | GUI Flag | Unsecured communication permitted. |
    | House Number 2 (Address) | House number 2 of the user |
    | House Number (Address) | House number of the user |
    | House Number 3 (Address) | House number 3 of the user |
    | Inhouse ML (Address) | Inhouse mail of the user |
    | Initials (Address) | Initials of the user |
    | Language CR P (Address) | CR P language of the user |
    | Language ISO (Address) | ISO language of the user |
    | Language UCP ISO (Address) | CP ISO language of the user |
    | Language UP ISO (Address) | P ISO language of the user |
    | Last Name (Address) | Last name of the user |
    | Location (Address) | Location name |
    | Logon Language (Defaults) | Logon language for the user. Note: The different values to be set for this attribute are mentioned in Logon and Communication Language attributes on page 31. |
    | Middle Name (Address) | Middle name of the user |
    | Name Country (Address) | Name of the country |
    | Nickname (Address) | Nickname of the user |
    | Notes (Address) | Notes for the user |
    | Other City (Address) | Name of the other city |
    | Other City Number (Address) | Number of the other city |
    | Pager/SMS List (Address) | Pager or SMS number list in the format pager_type#pager_number |
    | Parameter List (Parameters) | Parameter list in the format parameter_ID=parameter_value |
    | Pboxcity Number (Address) | Pbox number of the city |
    | PCODE 1 Ext (Address) | Postal code 1 extension |
    | PCODE 2 Ext (Address) | Postal code 2 extension |
    | PCODE 3 Ext (Address) | Postal code 3 extension |
    | PO Box (Address) | PO box number |
    | PO Box City (Address) | PO box number of the city |
    | PO Box City ISO (Address) | PO box number of the ISO city |
    | PO Box Country (Address) | PO box number of the country |
    | PO Box Region (Address) | PO box number of the region |
    | PO Box Without Number (Address) | PO box without number |
    | Postal Code (Address) | Postal code of the user |
    | Postal Code 2 (Address) | 2nd postal code of the user |
    | Postal Code 3 (Address) | 3rd postal code of the user |
    | Prefix 1 (Address) | 1st prefix |
    | Prefix 2 (Address) | 2nd prefix |
    | Print Immediately (Defaults) | Print immediately flag for the user |
    | Printer List (Address) | Print destination list |
    | Region (Address) | Name of the region |
    | Region Group (Address) | Group name of the region |
    | Remote Communication List (Address) | Communication notes list |
    | Remote Function Call List (Address) | Remote function call destination list |
    | Remote Mail List (Address) | Remote mail list of the user |
    | Room Number (Address) | Room number of the user |
    | Room Number 2 (Address) | 2nd room number of the user |
    | Reference User | Reference user name. |
    | Search Term 2 P (Address) | 2nd search term P for the user |
    | Search Term P (Address) | Search term P for the user |
    | Search Term 1 (Address) | 1st search term for the user |
    | Search Term 2 (Address) | 2nd search term for the user |
    | Second Name (Address) | Second name of the user |
    | Start Menu (Defaults) | Start menu for the user |
    | Street Abbreviation (Address) | Street abbreviation for the user |
    | Street Address (Address) | Street address of the user |
    | Street Address 2 (Address) | Street address 2 of the user |
    | Street Address 3 (Address) | Street address 3 of the user |
    | Street Address 4 (Address) | Street address 4 of the user |
    | Street Number (Address) | Street number of the user |
    | SNC Name | SNC name. |
    | Tax Jurisdiction Code (Address) | Tax jurisdiction code of the user |
    | Telephone (Address) | Telephone number |
    | Telephone Extension (Address) | Telephone extension number |
    | Telephone List (Address) | Telephone number list |
    | Teletex List (Address) | Teletex number list |
    | Telex List (Address) | Telex number list |
    | Time Format (Defaults) | Time format of the user |
    | Time Zone (Address) | System time zone. |
    | Title (Address) | Title of the user |
    | Title SPPL (Address) | Title SPPL of the user |
    | Transportation Zone (Address) | Transportation zone of the user |
    | TZone (Defaults) | Personal time zone. |
    | URL (Homepage) List (Address) | URL (Homepage) address list in the format URI_type#URI_name |
    | User Last Logon Time | User last log in time. |
    | User Last Logon Date | User last log in date. |
    | Productive Password | User password set in permanent mode. |
    | User Name | User Name. |
    | User Title (Address) | Title of the user |
    | User Type (Logon Data) | Type of the user |
    | User Valid From (Logon Data) | Valid from date for the user |
    | User Valid To (Logon Data) | Valid to date for the user. |
    | User Group (Groups) | User group of the user |
    | X.400 List (Address) | Organization name list |
    | Roles | Roles for user. Note: The Account Aggregation fetches the active roles (composite/simple) assigned directly to the user. |
    | Profiles | Profiles for user. |

    Group attributes

    The following table lists the different group attributes:

    Attributes Description

    Group Object Type = Role

    Name Role name.

    Type Role type.

    Description Role descr